Web Services is growing at a rapid rate and bringing into focus, new security issues in the web security landscape. How do we start assessing web services deployed at any corporate location? That is the fundamental question and once again it all starts with information gathering. UDDI, WSDL and SOAP are three cornerstones of this technology and they can be powerful tools for information gathering. Universal Business Registry (UBR) can help in footprinting using UDDI. UBR and technology fingerprinting can be used to perform discovery of web services. The scope in this paper is limited to only the first phase, namely the Web Services Information Gathering Phase. The entire methodology for web services information gathering is covered in this paper. The next two phases of the Assessment methodology are enumeration and defining attack vectors, both extensive topics too. These will be taken up in later papers.
This document is in PDF format. To view it click here.